CVE-2020-3153

A vulnerability in the installer component of Cisco AnyConnect Secure Mobility Client for Windows could allow an authenticated local attacker to copy user-supplied files to system level directories with system level privileges. The vulnerability is due to the incorrect handling of directory paths. An attacker could exploit this vulnerability by creating a malicious file and copying the file to a system directory. An exploit could allow the attacker to copy malicious files to arbitrary locations with system level privileges. This could include DLL pre-loading, DLL hijacking, and other related attacks. To exploit this vulnerability, the attacker needs valid credentials on the Windows system.

CVSS v3 6.5 MEDIUM
CVSS v2.0 4.9 MEDIUM

6.5^/10

CVSS v3 : MEDIUM

V3 Legend

Vector :

Exploitability : 2.0 / Impact : 4.0

Attack Vector LOCAL

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact NONE

Integrity Impact HIGH

Availability Impact NONE

Scope CHANGED

4.9^/10

CVSS v2.0 : MEDIUM

V2 Legend

Vector : AV:L/AC:L/Au:N/C:N/I:C/A:N

Exploitability : 3.9 / Impact : 6.9

Access Vector LOCAL

Access Complexity LOW

Authentication NONE

Confidentiality Impact NONE

Integrity Impact COMPLETE

Availability Impact NONE

References

Link	Resource
http://packetstormsecurity.com/files/157340/Cisco-AnyConnect-Secure-Mobility-Client-4.8.01090-Privilege-Escalation.html	Exploit Third Party Advisory VDB Entry
http://packetstormsecurity.com/files/158219/Cisco-AnyConnect-Path-Traversal-Privilege-Escalation.html	Exploit Third Party Advisory VDB Entry
http://packetstormsecurity.com/files/159420/Cisco-AnyConnect-Privilege-Escalation.html	Exploit Third Party Advisory VDB Entry
http://seclists.org/fulldisclosure/2020/Apr/43	Exploit Mailing List Third Party Advisory
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ac-win-path-traverse-qO4HWBsj	Vendor Advisory
http://packetstormsecurity.com/files/157340/Cisco-AnyConnect-Secure-Mobility-Client-4.8.01090-Privilege-Escalation.html	Exploit Third Party Advisory VDB Entry
http://packetstormsecurity.com/files/158219/Cisco-AnyConnect-Path-Traversal-Privilege-Escalation.html	Exploit Third Party Advisory VDB Entry
http://packetstormsecurity.com/files/159420/Cisco-AnyConnect-Privilege-Escalation.html	Exploit Third Party Advisory VDB Entry
http://seclists.org/fulldisclosure/2020/Apr/43	Exploit Mailing List Third Party Advisory
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ac-win-path-traverse-qO4HWBsj	Vendor Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:cisco:anyconnect_secure_mobility_client:*:*:*:*:*:windows:*:*

History

21 Nov 2024, 05:30

Type	Values Removed	Values Added
References	~~() http://packetstormsecurity.com/files/157340/Cisco-AnyConnect-Secure-Mobility-Client-4.8.01090-Privilege-Escalation.html - Exploit, Third Party Advisory, VDB Entry~~	() http://packetstormsecurity.com/files/157340/Cisco-AnyConnect-Secure-Mobility-Client-4.8.01090-Privilege-Escalation.html - Exploit, Third Party Advisory, VDB Entry
References	~~() http://packetstormsecurity.com/files/158219/Cisco-AnyConnect-Path-Traversal-Privilege-Escalation.html - Exploit, Third Party Advisory, VDB Entry~~	() http://packetstormsecurity.com/files/158219/Cisco-AnyConnect-Path-Traversal-Privilege-Escalation.html - Exploit, Third Party Advisory, VDB Entry
References	~~() http://packetstormsecurity.com/files/159420/Cisco-AnyConnect-Privilege-Escalation.html - Exploit, Third Party Advisory, VDB Entry~~	() http://packetstormsecurity.com/files/159420/Cisco-AnyConnect-Privilege-Escalation.html - Exploit, Third Party Advisory, VDB Entry
References	~~() http://seclists.org/fulldisclosure/2020/Apr/43 - Exploit, Mailing List, Third Party Advisory~~	() http://seclists.org/fulldisclosure/2020/Apr/43 - Exploit, Mailing List, Third Party Advisory
References	~~() https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ac-win-path-traverse-qO4HWBsj - Vendor Advisory~~	() https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ac-win-path-traverse-qO4HWBsj - Vendor Advisory

Information

Published : 2020-02-19 20:15

Updated : 2025-02-24 15:34

NVD link : CVE-2020-3153

Mitre link : CVE-2020-3153

CVE.ORG link : CVE-2020-3153

JSON object : View

Products Affected

cisco

anyconnect_secure_mobility_client

CWE

CWE-427

Uncontrolled Search Path Element

{"id": "CVE-2020-3153", "cveTags": [], "metrics": {"cvssMetricV2": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"version": "2.0", "baseScore": 4.9, "accessVector": "LOCAL", "vectorString": "AV:L/AC:L/Au:N/C:N/I:C/A:N", "authentication": "NONE", "integrityImpact": "COMPLETE", "accessComplexity": "LOW", "availabilityImpact": "NONE", "confidentialityImpact": "NONE"}, "acInsufInfo": false, "impactScore": 6.9, "baseSeverity": "MEDIUM", "obtainAllPrivilege": false, "exploitabilityScore": 3.9, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}], "cvssMetricV30": [{"type": "Secondary", "source": "psirt@cisco.com", "cvssData": {"scope": "CHANGED", "version": "3.0", "baseScore": 6.5, "attackVector": "LOCAL", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:C/C:N/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "NONE"}, "impactScore": 4.0, "exploitabilityScore": 2.0}], "cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "CHANGED", "version": "3.1", "baseScore": 6.5, "attackVector": "LOCAL", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:N/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "NONE"}, "impactScore": 4.0, "exploitabilityScore": 2.0}]}, "published": "2020-02-19T20:15:15.113", "references": [{"url": "http://packetstormsecurity.com/files/157340/Cisco-AnyConnect-Secure-Mobility-Client-4.8.01090-Privilege-Escalation.html", "tags": ["Exploit", "Third Party Advisory", "VDB Entry"], "source": "psirt@cisco.com"}, {"url": "http://packetstormsecurity.com/files/158219/Cisco-AnyConnect-Path-Traversal-Privilege-Escalation.html", "tags": ["Exploit", "Third Party Advisory", "VDB Entry"], "source": "psirt@cisco.com"}, {"url": "http://packetstormsecurity.com/files/159420/Cisco-AnyConnect-Privilege-Escalation.html", "tags": ["Exploit", "Third Party Advisory", "VDB Entry"], "source": "psirt@cisco.com"}, {"url": "http://seclists.org/fulldisclosure/2020/Apr/43", "tags": ["Exploit", "Mailing List", "Third Party Advisory"], "source": "psirt@cisco.com"}, {"url": "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ac-win-path-traverse-qO4HWBsj", "tags": ["Vendor Advisory"], "source": "psirt@cisco.com"}, {"url": "http://packetstormsecurity.com/files/157340/Cisco-AnyConnect-Secure-Mobility-Client-4.8.01090-Privilege-Escalation.html", "tags": ["Exploit", "Third Party Advisory", "VDB Entry"], "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "http://packetstormsecurity.com/files/158219/Cisco-AnyConnect-Path-Traversal-Privilege-Escalation.html", "tags": ["Exploit", "Third Party Advisory", "VDB Entry"], "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "http://packetstormsecurity.com/files/159420/Cisco-AnyConnect-Privilege-Escalation.html", "tags": ["Exploit", "Third Party Advisory", "VDB Entry"], "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "http://seclists.org/fulldisclosure/2020/Apr/43", "tags": ["Exploit", "Mailing List", "Third Party Advisory"], "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ac-win-path-traverse-qO4HWBsj", "tags": ["Vendor Advisory"], "source": "af854a3a-2127-422b-91ae-364da2661108"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Secondary", "source": "psirt@cisco.com", "description": [{"lang": "en", "value": "CWE-427"}]}, {"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-427"}]}], "descriptions": [{"lang": "en", "value": "A vulnerability in the installer component of Cisco AnyConnect Secure Mobility Client for Windows could allow an authenticated local attacker to copy user-supplied files to system level directories with system level privileges. The vulnerability is due to the incorrect handling of directory paths. An attacker could exploit this vulnerability by creating a malicious file and copying the file to a system directory. An exploit could allow the attacker to copy malicious files to arbitrary locations with system level privileges. This could include DLL pre-loading, DLL hijacking, and other related attacks. To exploit this vulnerability, the attacker needs valid credentials on the Windows system."}, {"lang": "es", "value": "Una vulnerabilidad en el componente installer de Cisco AnyConnect Secure Mobility Client para Windows, podr\u00eda permitir a un atacante local autenticado copiar archivos suministrados por el usuario hacia directorios de nivel de sistema con privilegios de nivel system. La vulnerabilidad es debido al manejo incorrecto de las rutas de directorio. Un atacante podr\u00eda explotar esta vulnerabilidad mediante la creaci\u00f3n de un archivo malicioso y al copiar el archivo en un directorio del sistema. Una explotaci\u00f3n podr\u00eda permitir al atacante copiar archivos maliciosos en ubicaciones arbitrarias con privilegios de nivel system. Esto podr\u00eda incluir la precarga de DLL, el secuestro de DLL y otros ataques relacionados. Para explotar esta vulnerabilidad, el atacante necesita credenciales v\u00e1lidas sobre el sistema Windows."}], "lastModified": "2025-02-24T15:34:56.417", "cisaActionDue": "2022-11-14", "cisaExploitAdd": "2022-10-24", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:cisco:anyconnect_secure_mobility_client:*:*:*:*:*:windows:*:*", "vulnerable": true, "matchCriteriaId": "4A0666B9-0A5B-4DBE-8779-E1638AF985E9", "versionEndExcluding": "4.8.02042"}], "operator": "OR"}]}], "sourceIdentifier": "psirt@cisco.com", "cisaRequiredAction": "Apply updates per vendor instructions.", "cisaVulnerabilityName": "Cisco AnyConnect Secure Mobility Client for Windows Uncontrolled Search Path Vulnerability"}

6.5 /10

Attack Vector LOCAL

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact NONE

Integrity Impact HIGH

Availability Impact NONE

Scope CHANGED

4.9 /10

Access Vector LOCAL

Access Complexity LOW

Authentication NONE

Confidentiality Impact NONE

Integrity Impact COMPLETE

Availability Impact NONE

JSON object

Attach tags to CVE-2020-3153

6.5^/10

4.9^/10

Attach tags to `CVE-2020-3153`